Re: [OAUTH-WG] Call for Adoption

John Bradley <ve7jtb@ve7jtb.com> Thu, 28 January 2016 02:06 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00F821A1AAD for <oauth@ietfa.amsl.com>; Wed, 27 Jan 2016 18:06:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GnculfuQYjGm for <oauth@ietfa.amsl.com>; Wed, 27 Jan 2016 18:06:39 -0800 (PST)
Received: from mail-qg0-x234.google.com (mail-qg0-x234.google.com [IPv6:2607:f8b0:400d:c04::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B61D1A1AA8 for <oauth@ietf.org>; Wed, 27 Jan 2016 18:06:38 -0800 (PST)
Received: by mail-qg0-x234.google.com with SMTP id b35so23113669qge.0 for <oauth@ietf.org>; Wed, 27 Jan 2016 18:06:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=lJlMoeoW4FxaykFNikRitTwwiQQjvCTWZVLt5o5hmQk=; b=N4k0Ll3UOqtbr1UFsZ/kJAVHs32zefIPIxlT/7RSEPtExlWVfJ0N+qWuZKAVgJt5oc awT47JPEEAWEvTzLw2kMnI4JZNbqwfIkWKg/lkCN2G/upTHOFfCVGj4cKS3hJdSFMzx+ eMWpqCaUlT8mP4ZQ1P/HCaH6gazAi5HtyLMHtqcBJEDsYcRK8QLtiqBY1ARIZAG/NV0C wL7lIHaTlHcJIhyEP1rrc87o468+B3OFvgzVDD3dvl8v1HTO6cCUZKLFD2EAtMat5WJY 6T3S6ur22zgiETGFTAF9QBlUnHywbGqdQ9/QUnjNzaitVVw0UMSypHQxWVStFdh9Knpw Dd3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=lJlMoeoW4FxaykFNikRitTwwiQQjvCTWZVLt5o5hmQk=; b=NFJMX29cEQlAt/1Fh0kArFDUTi/MVNfs5FKsIfLxtWddrCElvphFFPLlPYAMKyJkgX obTLH7a4hF8r38sFnTpmDRhEN1KbP1O93AwhMlVKwnzl7SyivBV3UQ0pCEpbtWUnJQgt Av99QyS7skNY/P1C21XImu4WCAIJtEXK0eSqAFc9idiWPvABm6fzCfni3Y3zmhFMob+5 59jzFqRnpiIPQda35GqdFO1TjcE9/9mYe6Nu/Wp38sO2wUJg9pEBwnfMMIblPkM8wqTp qq92XCyM8JUiBy2IdgRNi6FA+Xv2lybgw7ICx6XV9eKoX/VvshIOuXYX1XQZXc9C2/iF KJ0A==
X-Gm-Message-State: AG10YOR5AxSuVp0F40WnMmuI/DLdb0ipG16G3ZQQlbun6vDiILKSc4y1HDI1OHL85MZa3w==
X-Received: by 10.140.108.229 with SMTP id j92mr569322qgf.17.1453946797839; Wed, 27 Jan 2016 18:06:37 -0800 (PST)
Received: from [192.168.1.35] ([191.115.81.165]) by smtp.gmail.com with ESMTPSA id w71sm3573527qha.30.2016.01.27.18.06.32 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 27 Jan 2016 18:06:36 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_C99980D2-FBA2-41E3-A105-63C68B2A4F3B"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <1955C44F-BE12-4F1E-899F-546C65ACB657@mit.edu>
Date: Wed, 27 Jan 2016 23:06:26 -0300
Message-Id: <7C86947F-7583-4733-B95F-527D17D66F95@ve7jtb.com>
References: <569E2076.2090405@gmx.net> <CABzCy2DehwZh2gd_6oNy69O+qxowva00qZWnX8uWX2n4h+kPLw@mail.gmail.com> <BY2PR03MB442EA7CE4F9728C2E39BBEAF5C30@BY2PR03MB442.namprd03.prod.outlook.com> <EE414329-AA2A-4F99-841B-0581E4F4605F@mit.edu> <CABzCy2A9RCONixTG+ZFD8sz6FTD-o1Do8iV2gX2=pKu+PenT-A@mail.gmail.com> <BY2PR03MB442DE057967872C63A56DF8F5C40@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2Co2okoC_hxy3bLTzbGm3nuQiULM3XqkJMwiV_5iU9-=Q@mail.gmail.com> <CA+k3eCSfXQng6PzhWR-Qjyp=SO1LYnfXH7qqzb-5btqWaJJX-A@mail.gmail.com> <BY2PR03MB4422882B74ED659DB47CECDF5C40@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2CC8jN6kzxbJ70m900g4J1VW2b65gM_M1dhx6YXfWVhdQ@mail.gmail.com> <CA+k3eCSiEcE-YRG+ej+zJuEHOwqO4oyvvGmKWv5SeMUu4dVPrA@mail.gmail.com> <56A78EEF.4090706@aol.com> <CA+k3eCQh+KfX8+NONECjVj2ZX_e=JFFM4fF7XXcxwWJ-kii9Tw@mail.gmail.com> <56A7C3E8.8080601@aol.com> <CA+k3eCREJUx4Mb_aciKJoq03j0tdmwB2LEPw7GvZA1ZOBNhq+w@mail.gmail.com> <CABzCy2C69JAadYfaZNXgfMaAiJJOuXoKGkC3vC+x8KnhXPHpKw@mail.gmail.com> <56A8794C.2040304@pingidentity.com> <c8c693abce3e7f013d3af38f3b9333fb@gmail.com> <E63EF38B-8A63-4490-8A07-56CD2A3B7E4B@ve7jtb.com> <CA+k3eCT4VneEPSgBX0Ydf=QwUcpHN-2w7rsmQ3gOCs1T44vjvQ@mail.gmail.com> <CABzCy2AKhajiCpJO8FgL1sTLRBvDWjUkj-bzAXaobmBR2FHCsQ@mail.gmail.com> <E6CE5F6B-E973-4570-8EA5-080FB27CBBE7@mit.edu> <CABzCy2B6Py5-RJ3VL5w8Yxm1hm=XxQjiHVG15wEQVVsQhZVO5w@mail.gmail.com> <1955C44F-BE12-4F1E-899F-546C65ACB657@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/_pgflOOrjTt_bLxaPIKzS_EPt4I>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2016 02:06:43 -0000

I agree, common origin mapping for OAuth would be a horrible road to go down.    Pattern matching redirect URI has been a thorn in Facebook’s side that has never worked.  

At best it would be security theatre, and cripple many legitimate use cases.

John B.

> On Jan 27, 2016, at 11:02 PM, Justin Richer <jricher@mit.edu> wrote:
> 
> Definitely the latter. I don’t think the requirement actually helps secure things in practice and artificially limits things otherwise.
> 
>  — Justin
> 
>> On Jan 27, 2016, at 7:19 PM, Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote:
>> 
>> You mean the string comparison on authority section would allow execution of some code? Or are you suggesting that not checking the path portion would allow the attacker to plant something on the other paths on the host? 
>> 
>> Yes, the later is possible especially when there are user generated content on the same host, and if we are worried on it, we would have to do the discovery. 
>> 
>> Nat 
>> 
>> 2016年1月28日(木) 5:45 Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>>:
>> Unless I’m missing something, requiring the authority section to match discounts attackers being able to deploy executable code on a path. This kind of hole was exploited in a number of Facebook hacks. Yes I’m aware that those were dealing with redirect URIs but we’re talking about the same kind of sub-component URI matching here, and I can only see it getting us into trouble.
>> 
>>  — Justin
>> 
>> 
>>> On Jan 27, 2016, at 1:15 PM, Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote:
>>> 
>>> yeah. 
>>> 
>>> But for Google, Microsoft, etc., every RP can whitelist, cannot they? ;-)
>>> 
>>> Otherwise, for a code phishing attack, you need to implement discovery of some sort. My thinking before reading your email was: 
>>> 
>>> if( authority(authz_ep)==authority(token_ep) ) {
>>>    get_token(token_ep, code, client_credential);
>>> } else {
>>>     get_token(token_ep_from_discovery(), code, client_credential);
>>> } 
>>> 
>>> where token_ep_from_discovery() either returns the value of the toke_endpoint member from .well-known/openid-configuration OR the value of turi parameter in the query. 
>>> 
>>> 2016年1月28日(木) 2:03 Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>:
>>> There's at least one smallish deployment that has a different authority for the Authorization Endpoint and the Token Endpoint.
>>> 
>>> from https://accounts.google.com/.well-known/openid-configuration <https://accounts.google.com/.well-known/openid-configuration> :
>>> 
>>> {
>>>  "issuer": "https://accounts.google.com <https://accounts.google.com/>",
>>>  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth <https://accounts.google.com/o/oauth2/v2/auth>",
>>>  "token_endpoint": "https://www.googleapis.com/oauth2/v4/token <https://www.googleapis.com/oauth2/v4/token>",
>>>  "userinfo_endpoint": "https://www.googleapis.com/oauth2/v3/userinfo <https://www.googleapis.com/oauth2/v3/userinfo>",
>>>  "revocation_endpoint": "https://accounts.google.com/o/oauth2/revoke <https://accounts.google.com/o/oauth2/revoke>",
>>>  "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs <https://www.googleapis.com/oauth2/v3/certs>",
>>>  ...
>>> }
>>> 
>>> 
>>> On Wed, Jan 27, 2016 at 6:30 AM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>>> It think requiring a common authority segment for the authorization endpoint and the token endpoint might work in common cases, but there are legitimate cases where the URI of the Authorization endpoint might be a alias in the case of multi tenants, all using a common token endpoint.
>>> 
>>> The larger problem would be the RS, it is not uncommon to have the AS and RS in different domains,  so with bearer tokens unless you make the same authority restriction for RS then you are not really stoping the attacker.   They can get the AT by impersonating the RS.
>>> 
>>> I think trying to enforce a common origin policy over OAuth would be a bad direction to go.
>>> 
>>> I understand that it seems like a easy fix on the surface, and it works for most of the things people are using OAuth for today, but would be quite limiting over the long term.
>>> 
>>> John B.
>>> > On Jan 27, 2016, at 7:31 AM, sakimura@gmail.com <mailto:sakimura@gmail.com> wrote:
>>> >
>>> > Hi Hans,
>>> >
>>> > Sorry, I mixed up the IdP mix-up attack and the code phishing attack.
>>> >
>>> > Mandating the Authorization and Token Endpoint being in the same
>>> > authority would solve the later without changing the wire protocol.
>>> >
>>> > For AS mix-up attack, mandating the client to change the redirection endpoint
>>> > per AS would solve the problem without change the wire protocol.
>>> >
>>> > If these are not possible, then we would have to look at changing the
>>> > wire protocol. The solution that solves the both cases must
>>> > provide the token endpoint URI authoritatively, which means
>>> > you have to mandate some variation of discovery mandatory.
>>> >
>>> > Nat
>>> >
>>> >
>>> > At 2016-01-27 17:01  Hans Zandbelt wrote:
>>> >> I don't see how that can deal with the specific form of the attack
>>> >> where the Client would have sent the authorization request to the
>>> >> legitimate authorization endpoint of a compromised AS and believes it
>>> >> gets the response from that, where in fact it was redirected away to
>>> >> the good AS.
>>> >> IOW, I don't think this is so much about mixing up endpoints where to
>>> >> send stuff to, but mixing up the entity/endpoint from which the Client
>>> >> believes the response was received. That may just be terminology
>>> >> though.
>>> >> Bottom line as far as I see is that a wire protocol element in the
>>> >> response is needed to tell the Client who issued it, regardless of how
>>> >> the Client deals with configuration of the AS information.
>>> >> Hans.
>>> >> On 1/27/16 1:31 AM, Nat Sakimura wrote:
>>> >>> So, is there a lot of cases that the authority section of the Good AS's
>>> >>> Authorization Endpoint and the Token Endpoints are different?
>>> >>> If not, then requiring that they are the same seems to virtually remove
>>> >>> the attack surface for the mix-up related attacks. It does not introduce
>>> >>> new parameter nor discovery. If it can be done, it probably is not worth
>>> >>> adding a new wire protocol element to mitigate the mix-up variants.
>>> >
>>> >
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>